estimating password strength · ♦ test passwords against a dictionary – even a big dictionary...
TRANSCRIPT
1
Estimating Password Strength(fools rush in where angels fear to tread- this approach is preliminary and may change)
Bill [email protected]
Draft for commentSubject to change
2Draft for commentSubject to change
Disclaimer - Preliminary
♦ This is a proposal for review and comment.♦ It is subject to change, large and small
– Can easily adjust threshold– May also significantly change approach– There probably is no right solution
3Draft for commentSubject to change
Review the Bidding - Assurance Levels♦ Draft GSA/OMB guidance defines 4 assurance
levels– http://a257.g.akamaitech.net/7/257/2422/14mar200108
00/edocket.access.gpo.gov/2003/pdf/03-17634.pdf♦ Assurance level needed determined by
consequences of authentication error– Inconvenience– Financial loss– Distress– Standing or reputation– Harm to agency programs or reputation– Civil or criminal violations– Personal safety
4Draft for commentSubject to change
Assurance Levels♦ Level 1 – Minimal Assurance
– Little or no assurance on the asserted identity – Authentication Error might at worst result in
• minimal inconvenience, financial loss, distress, damage to reputation
• no risk of harm to agency programs or public interests, release of sensitive information, civil or criminal violations or to personal safety
5Draft for commentSubject to change
Assurance Levels♦ Level 2 – Low Assurance
– “On the balance of probabilities” there is confidence in the asserted identity
– Authentication Error might at worst result in• minor inconvenience, financial loss, distress,
damage to reputation• no risk of harm to agency programs, public interests,
release of sensitive information or personal safety• civil or criminal violations not normally subject to
agency enforcement efforts
6Draft for commentSubject to change
Assurance Levels
♦ Level 3 – Substantial Assurance– Transactions that are “official in nature”– High confidence in the asserted identity– Authentication error might at worst result in
• significant inconvenience, financial loss, distress, damage to reputation, harm to agency programs & public interests
• a significant release of sensitive information • civil or criminal violations normally subject to
agency enforcement efforts• no risk to personal safety
7Draft for commentSubject to change
Assurance Levels
♦ Level 4 – High Assurance– Very high confidence in the asserted identity– Authentication error might result in
• considerable inconvenience, financial loss, distress, damage to reputation, harm to agency programs & public interests
• extensive release of sensitive information • considerable risk of an egregious criminal act• civil or criminal violations of special importance to
agency enforcement efforts• risk to personal safety
8Draft for commentSubject to change
Passwords and Assurance levels
♦ Level 1 – PINs ♦ Level 2 – “Strong” passwords done
tolerably well– What’s a strong password?
♦ Level 3 – very strong passwords done really well– What’s very strong and done really well?
♦ Level 4 – you gotta be kidding
9Draft for commentSubject to change
What is a password?♦ Password is a secret character string you commit
to memory.– Secret and memory are the key words here– As a practical matter we often do write our passwords
down, whatever we are supposed to do with them, and when we do write them down we have to protect them
♦ A password is really a (generally weak) key– People can’t remember good keys
♦ Enrolment and verification phases
10Draft for commentSubject to change
Passwords will ever be with us
♦ Multifactor authentication– Something you are– Something you have– Something you know
♦ Problem comes when we depend on passwords as the only factor in remote authentication
11Draft for commentSubject to change
Password Hell♦ We all are asked to remember far too many
passwords– Forced to change them frequently
• often peremptorily forced to change a password without warning when we try to log on
– Every system has different rules for passwords– Often use them only very infrequently– May be given arbitrary, randomly generated
passwords • who can remember these?
12Draft for commentSubject to change
Simplification
♦ We’re only concerned with on-line authentication to a server, not passwords used, for example to encrypt or lock local files
♦ Assume that the authentication server is secure and can impose rules to detect or limit attacks
13Draft for commentSubject to change
Attacks on Passwords♦ In-band
– Attacker repeatedly tries passwords until he authenticates/gets access
• guessing, dictionary, or brute force exhaustion– Can’t entirely prevent these attacks
• can ensure they don’t succeed very often
♦ Out of band – everything else– Eavesdropper– Man-in-the-middle– Shoulder surfing– Social engineering
14Draft for commentSubject to change
Password Strength♦ Define password strength in terms of probability
of a determined attacker discovering a selected user’s password by an in-band attack– Strength is then a function of both the “entropy” of the
password and the way unsuccessful trials are limited– Many strategies for limiting unsuccessful trials
• 3 strikes and you’re out• hang up after an unsuccessful trial• some total number of unsuccessful trials and lock account• change passwords periodically• notify user of successful and unsuccessful login attempts
– Trade-offs with help desk costs
15Draft for commentSubject to change
Strong Password Definition
♦ The probability of an attacker with no a priori knowledge of the password finding a given user’s password by an in-band attack shall not exceed one in 216 (1/65,563) over the life of the password– The more entropy required in the password, the
more trials the system can allow– Note that there is not necessarily any particular
time limit
16Draft for commentSubject to change
Estimating Password Entropy♦ Entropy of a password is the uncertainty an
attacker has in his knowledge of the password, that is how hard it is to guess it.
♦ Easy to compute entropy of random passwords ♦ We typically state entropy in bits. A random 32-
bit number has 232 values and 32-bits of entropy♦ A password of length l selected at random from
the keyboard set of 94 printable (nonblank) characters has 94l values and about 6.55×l bits of entropy.
∑ ==−=x
xXPxXPXH )(log)(:)( 2
17Draft for commentSubject to change
User Selected Passwords♦ People have a hard time remembering random
passwords– So we may let them pick their own
♦ People pick bad passwords– Passwords that are easy to remember are often easy to
guess• use common words• frequency distributions of characters• phone number, street address, SSN, dog’s name, birthday…
– Sophisticated attacker takes advantage of this with (possibly large) dictionaries of common passwords
18Draft for commentSubject to change
Entropy of User Chosen Pswd♦ No really rigorous way to estimate♦ Propose starting from Shannon’s estimate of
entropy in English text– C. E. Shannon, “Prediction and Entropy of
Printed English” Bell System Technical Journal, v.30, n.1, 1951, pp. 50-64
• One of the most widely referenced papers in computing
• Seems to be relatively little progress beyond Shannon.
19Draft for commentSubject to change
Shannon’s estimate of entropy♦ Shannon used 26 English letters plus space
– Left to their own devices user will choose only lower case letters.
♦ Shannon’s method involves knowing the i-1 firstletters of a string of English text; how well can we guess the ith letter?
♦ Entropy per character decreases for longer strings– 1 character 4.7 bits/character– ≤ 8 characters 2.3 bits per character– order of 1 bit/char for very long strings
20Draft for commentSubject to change
Use Shannon as Lower Bound
♦ Users are supposed to pick passwords that don’t look like ordinary English– But, of course, they want to remember them
♦ Attacker won’t have a perfect dictionary or learn much by each unsuccessful trial
21Draft for commentSubject to change
Estimate Entropy vs PWD length
Password Entropy Password EntropyLength Bits Length Bits
1 4 10 212 6 12 243 8 14 274 10 16 305 12 18 336 14 20 367 16 30 468 18
22Draft for commentSubject to change
Estimate Entropy vs PWD length
♦ 1- 10 character passwords consistent with curves in Fig. 4 of paper
♦ 10 – 20 character passwords assume that entropy grows at 1.5 bits of entropy per character
♦ Over 20 character passwords assume that entropy grows at 1 bit per character
23Draft for commentSubject to change
Password Rules
♦ We can increase the “effective” entropy of user chosen passwords by imposing rules on them that make the passwords less like ordinary English (or French or German or..) words. For example:– Passwords must contain at least one upper case
letter, one number and one special character– Passwords must not contain any strings from a
dictionary of common strings
24Draft for commentSubject to change
Password Rules♦ Rules reduce the total number of possible
passwords, which is bad– But they can eliminate a lot of commonly used
(easily guessed) passwords and make users select passwords they just wouldn’t otherwise choose, stretching the effective space
♦ If we go overboard rules make it hard to remember the passwords– We let users pick their passwords in the first
place so they can remember them
25Draft for commentSubject to change
Proposal♦ Award an entropy bonus of up to 6 bits for
password composition rules♦ Award an entropy bonus of up to 6 bits for a
dictionary test– Bonus declines for long “pass-phrases”
• Have to contain common words or you can’t remember them• No bonus for over 20 char.
♦ Rules don’t work as well in combination for very short passwords
26Draft for commentSubject to change
How do rules affect entropy?♦ Assign entropy “bonus” for composition rules♦ Consider
– Passwords must contain at least one upper case letter, one lower case letter, one number and one special character
• we’ll often get just one of each, however long the password, at the the beginning or the end of the password
– Redskins1!– Algernon8*– A!1lgernon
• some combinations will be common– 1! 2@ 3#
– Probably some benefit even for very long passwords
27Draft for commentSubject to change
Estimate Entropy vs PWD length with Composition Rule
Password Entropy Password EntropyLength Bits Length Bits
1 - 10 272 - 12 303 - 14 334 15 16 365 18 18 396 20 20 427 22 30 528 24
28Draft for commentSubject to change
Dictionary Test♦ Attacker will use a dictionary first♦ Can be quite extensive♦ Test passwords against a dictionary
– Even a big dictionary doesn’t occupy much of the total password space and half the passwords is one bit of entropy
♦ Dictionary less effective for long passwords– Need to allow phrases of words if long passwords are to
be practical– Assume dictionary test doesn’t help for 20 char or
longer passwords
29Draft for commentSubject to change
Estimate Entropy vs PWD lengthwith Dictionary Test
Password Entropy Password EntropyLength Bits Length Bits
1 - 10 262 - 12 283 - 14 304 14 16 325 17 18 346 20 20 367 22 30 508 24
30Draft for commentSubject to change
Estimate Entropy vs PWD lengthwith Rule & Dictionary
Password Entropy Password EntropyLength Bits Length Bits
1 - 10 322 - 12 343 - 14 364 16 16 385 20 18 406 23 20 427 27 30 528 30
31Draft for commentSubject to change
Entropy estimate versus length
0
10
20
30
40
50
60
0 5 10 15 20 25 30
password length in characters
bits
or
equi
vele
nt e
ntro
py
no rulescompositiondictionaryboth
32Draft for commentSubject to change
A Measurement Experiment?♦ No time to affect the first round of
guidance; but♦ Can we find a source of lots of actual user
selected passwords?– On the order of at least hundreds of thousands– With different rules– Probably could live with password hashes
• Use collision frequencies• Couldn’t use hash(password||username||salt)
33Draft for commentSubject to change
Proposed Thresholds♦ Level 1, minimal assurance
– Probability of a successful in-band password attack less than .0005 (one in 211)
♦ Level 2, low assurance– Probability of a successful in-band password
attack less than .000015 (one in 216).♦ Level 3 , substantial assurance
– Probability of a successful in-band password attack less than .000001 (one in 220).
34Draft for commentSubject to change
Level 1 – Minimal Assurance
♦ Basically for PINs, or passwords sent without encryption– Not expected to resist eavesdroppers
♦ No more than 1 in 211 (2048) chance of in-band attack succeeding over life of password
35Draft for commentSubject to change
Level 2 – Low Assurance♦ Useful for routine e-commerce and e-gov
transactions♦ Must resist eavesdroppers
– resist off-line analysis of authentication protocol run
♦ Resist replays♦ No more than 1 in 216 (65,536) chance of in-band
attack succeeding over life of password♦ Not required to defeat man-in-the-middle or
verifier impersonation attacks
36Draft for commentSubject to change
Level 3 – Substantial Assurance♦ Useful for e-commerce and e-gov transactions of
substantial value♦ Must resist eavesdroppers
– resist off-line analysis of authentication protocol run
♦ Resist replays♦ Resist man-in-the-middle or verifier
impersonation attacks♦ No more than 1 in 220 (1,000,000) chance of in-
band attack succeeding over life of password
37Draft for commentSubject to change
Example – Level 2
♦ 6 characters, randomly selected– 946 possible values (about 6.9×1011)– That’s about 39 bits of entropy
♦ Authentication system must limit the total number of unsuccessful authentication attempts to 946/216 ≈ 10,000,000
38Draft for commentSubject to change
Example – Level 2
♦ 8 characters, user selected, no composition rule or dictionary check– estimate 18-bits of entropy which is about
250,000 ♦ Authentication system must limit the total
number of unsuccessful authentication attempts to 218/216 = 4 trials
39Draft for commentSubject to change
Example - Level 2
♦ 8 characters, user selected, with composition rule and dictionary check– estimate 30-bits of entropy which is about
109
♦ Authentication system must limit the total number of unsuccessful authentication attempts to 230/216 = 215 ≈ 16,000 trials
40Draft for commentSubject to change
Example – Level 2
♦ 6 characters, user selected, with composition rule and dictionary check– estimate 26-bits of entropy
♦ Authentication system must limit the total number of unsuccessful authentication attempts to 226/216 = 1024 trials
41Draft for commentSubject to change
Zero Knowledge Password Auth.♦ Verifier and claimant share a password♦ If attacker fools claimant into an
authentication protocol run, he gains no knowledge of password
♦ Verifier and claimant wind up with a strong shared secret, which can be used in any protocol that requires a symmetric key
♦ Eavesdropper learns nothing about password or strong shared secret
42Draft for commentSubject to change
Diffe-Hellman key exchangePick a generator g of a large finite group G.a and b are large random numbers.
a
(gb)a
b
(ga)b
ga
gb
Alice Bob
Alice and Bob now share a common secret gab.An eavesdropper must solve discrete log problem to learn gab.
43Draft for commentSubject to change
EKE exchangeLet p be Alice’s password, w=hash(p), Bob knows w, and Ew(x) be x encrypted under key w
a
(Dw (Ew(gb)))a
= gba
b
(Dw (Ew(gb)))a
= gab
Ew(ga)
Alice Bob
Alice and Bob now share a common cryptographic strength secret gab.
Ew(gb)
44Draft for commentSubject to change
Token Type by Level
√√√√PIN
√√√√√√√√Strong password with eavesdropper protection
√√√√√√√√√√√√password with zero knowledge protocol
√√√√√√√√√√√√Soft crypto token√√√√√√√√√√√√√√√√Hard crypto token
4321Allowed Token Types
45Draft for commentSubject to change
Required Protections by Level
√√√√√√√√√√√√√√√√Replay
√√√√√√√√Session Hijacking√√√√√√√√Man-in-the-middle√√√√√√√√Verifier Impersonation
√√√√√√√√√√√√√√√√On-line guessing
√√√√√√√√√√√√Eavesdropper
4321Protection Against
46Draft for commentSubject to change
Auth. Protocol Type by Level
√√√√Challenge-reply password√√√√√√√√Tunneled password
√√√√√√√√√√√√Zero knowledge password√√√√√√√√√√√√√√√√Symmetric key PoP√√√√√√√√√√√√√√√√Private key PoP
4321Allowed Protocol Types
47Draft for commentSubject to change
Required Protocol Properties by Level
√√√√√√√√Session Data transfer authenticated
√√√√√√√√√√√√Shared secrets not revealed to 3rd parties
4321Required properties